commit
c1e36f9a90
4 changed files with 19 additions and 173 deletions
170
logic/acls.go
170
logic/acls.go
|
@ -1054,176 +1054,6 @@ func IsNodeAllowedToCommunicateV1(node, peer models.Node, checkDefaultPolicy boo
|
|||
return false, allowedPolicies
|
||||
}
|
||||
|
||||
// IsNodeAllowedToCommunicate - check node is allowed to communicate with the peer
|
||||
func IsNodeAllowedToCommunicate(node, peer models.Node, checkDefaultPolicy bool) (bool, []models.Acl) {
|
||||
var nodeId, peerId string
|
||||
if node.IsStatic {
|
||||
nodeId = node.StaticNode.ClientID
|
||||
node = node.StaticNode.ConvertToStaticNode()
|
||||
} else {
|
||||
nodeId = node.ID.String()
|
||||
}
|
||||
if peer.IsStatic {
|
||||
peerId = peer.StaticNode.ClientID
|
||||
peer = peer.StaticNode.ConvertToStaticNode()
|
||||
} else {
|
||||
peerId = peer.ID.String()
|
||||
}
|
||||
|
||||
var nodeTags, peerTags map[models.TagID]struct{}
|
||||
if node.Mutex != nil {
|
||||
node.Mutex.Lock()
|
||||
nodeTags = maps.Clone(node.Tags)
|
||||
node.Mutex.Unlock()
|
||||
} else {
|
||||
nodeTags = node.Tags
|
||||
}
|
||||
if peer.Mutex != nil {
|
||||
peer.Mutex.Lock()
|
||||
peerTags = maps.Clone(peer.Tags)
|
||||
peer.Mutex.Unlock()
|
||||
} else {
|
||||
peerTags = peer.Tags
|
||||
}
|
||||
if nodeTags == nil {
|
||||
nodeTags = make(map[models.TagID]struct{})
|
||||
}
|
||||
if peerTags == nil {
|
||||
peerTags = make(map[models.TagID]struct{})
|
||||
}
|
||||
nodeTags[models.TagID(nodeId)] = struct{}{}
|
||||
peerTags[models.TagID(peerId)] = struct{}{}
|
||||
if checkDefaultPolicy {
|
||||
// check default policy if all allowed return true
|
||||
defaultPolicy, err := GetDefaultPolicy(models.NetworkID(node.Network), models.DevicePolicy)
|
||||
if err == nil {
|
||||
if defaultPolicy.Enabled {
|
||||
return true, []models.Acl{defaultPolicy}
|
||||
}
|
||||
}
|
||||
}
|
||||
allowedPolicies := []models.Acl{}
|
||||
// list device policies
|
||||
policies := listDevicePolicies(models.NetworkID(peer.Network))
|
||||
srcMap := make(map[string]struct{})
|
||||
dstMap := make(map[string]struct{})
|
||||
defer func() {
|
||||
srcMap = nil
|
||||
dstMap = nil
|
||||
}()
|
||||
for _, policy := range policies {
|
||||
if !policy.Enabled {
|
||||
continue
|
||||
}
|
||||
srcMap = convAclTagToValueMap(policy.Src)
|
||||
dstMap = convAclTagToValueMap(policy.Dst)
|
||||
_, srcAll := srcMap["*"]
|
||||
_, dstAll := dstMap["*"]
|
||||
if policy.AllowedDirection == models.TrafficDirectionBi {
|
||||
if _, ok := srcMap[nodeId]; ok || srcAll {
|
||||
if _, ok := dstMap[peerId]; ok || dstAll {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
continue
|
||||
}
|
||||
|
||||
}
|
||||
if _, ok := dstMap[nodeId]; ok || dstAll {
|
||||
if _, ok := srcMap[peerId]; ok || srcAll {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
continue
|
||||
}
|
||||
}
|
||||
}
|
||||
if _, ok := dstMap[nodeId]; ok || dstAll {
|
||||
if _, ok := srcMap[peerId]; ok || srcAll {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
continue
|
||||
}
|
||||
}
|
||||
for tagID := range nodeTags {
|
||||
allowed := false
|
||||
if _, ok := dstMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok || dstAll {
|
||||
if srcAll {
|
||||
allowed = true
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
for tagID := range peerTags {
|
||||
if _, ok := srcMap[tagID.String()]; ok {
|
||||
allowed = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if allowed {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
if _, ok := srcMap[tagID.String()]; ok || srcAll {
|
||||
if dstAll {
|
||||
allowed = true
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
for tagID := range peerTags {
|
||||
if _, ok := dstMap[tagID.String()]; ok {
|
||||
allowed = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if allowed {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
}
|
||||
for tagID := range peerTags {
|
||||
allowed := false
|
||||
if _, ok := dstMap[tagID.String()]; ok || dstAll {
|
||||
if srcAll {
|
||||
allowed = true
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
for tagID := range nodeTags {
|
||||
|
||||
if _, ok := srcMap[tagID.String()]; ok || srcAll {
|
||||
allowed = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if allowed {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
|
||||
if _, ok := srcMap[tagID.String()]; policy.AllowedDirection == models.TrafficDirectionBi && ok || srcAll {
|
||||
if dstAll {
|
||||
allowed = true
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
for tagID := range nodeTags {
|
||||
if _, ok := dstMap[tagID.String()]; ok {
|
||||
allowed = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if allowed {
|
||||
allowedPolicies = append(allowedPolicies, policy)
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if len(allowedPolicies) > 0 {
|
||||
return true, allowedPolicies
|
||||
}
|
||||
return false, allowedPolicies
|
||||
}
|
||||
|
||||
// SortTagEntrys - Sorts slice of Tag entries by their id
|
||||
func SortAclEntrys(acls []models.Acl) {
|
||||
sort.Slice(acls, func(i, j int) bool {
|
||||
|
|
|
@ -874,14 +874,21 @@ func GetExtPeers(node, peer *models.Node) ([]wgtypes.PeerConfig, []models.IDandA
|
|||
}
|
||||
|
||||
func getExtPeerEgressRoute(node models.Node, extPeer models.ExtClient) (egressRoutes []models.EgressNetworkRoutes) {
|
||||
egressRoutes = append(egressRoutes, models.EgressNetworkRoutes{
|
||||
r := models.EgressNetworkRoutes{
|
||||
PeerKey: extPeer.PublicKey,
|
||||
EgressGwAddr: extPeer.AddressIPNet4(),
|
||||
EgressGwAddr6: extPeer.AddressIPNet6(),
|
||||
NodeAddr: node.Address,
|
||||
NodeAddr6: node.Address6,
|
||||
EgressRanges: extPeer.ExtraAllowedIPs,
|
||||
})
|
||||
}
|
||||
for _, extraAllowedIP := range extPeer.ExtraAllowedIPs {
|
||||
r.EgressRangesWithMetric = append(r.EgressRangesWithMetric, models.EgressRangeMetric{
|
||||
Network: extraAllowedIP,
|
||||
RouteMetric: 256,
|
||||
})
|
||||
}
|
||||
egressRoutes = append(egressRoutes, r)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
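Review bot: The route metric in the new loop is a bare literal, `RouteMetric: 256,`, with nothing in the hunk saying why 256 or whether it has to agree with the metric assigned to other egress routes; a named constant beside the function, e.g. `const extClientEgressRouteMetric = 256` (name constructed here), would document the intent and give one place to change it. The function also carries no doc comment; I would add `// getExtPeerEgressRoute builds the egress route for an external client, listing each of its ExtraAllowedIPs both in EgressRanges and, with a fixed metric, in EgressRangesWithMetric.` Since both slices are derived from the same `extPeer.ExtraAllowedIPs`, an empty list leaves `EgressRangesWithMetric` nil, which looks intended. The whole function lies within the hunk.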
@ -228,6 +228,13 @@ func updateNodes() {
|
|||
|
||||
}
|
||||
}
|
||||
extclients, _ := logic.GetAllExtClients()
|
||||
for _, extclient := range extclients {
|
||||
if extclient.Tags == nil {
|
||||
extclient.Tags = make(map[models.TagID]struct{})
|
||||
logic.SaveExtClient(&extclient)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func removeInterGw(egressRanges []string) ([]string, bool) {
|
||||
|
|
|
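Review bot: Both calls added to the migration drop their results: `extclients, _ := logic.GetAllExtClients()` discards the error, and `logic.SaveExtClient(&extclient)` is called as a bare statement, so if the read fails the loop silently does nothing and if a save fails that client keeps a nil Tags map without any trace in the logs. I would check `err` from GetAllExtClients and log-and-return on failure, and, if SaveExtClient returns an error as its name suggests (not visible in the hunk), write `if err := logic.SaveExtClient(&extclient); err != nil { /* log the client ID and continue */ }` so one bad record does not stop the rest of the migration. Taking `&extclient` of the range copy is fine here because the pointer is only used within the iteration. updateNodes begins outside the hunk; its closing brace is the hunk's last code line.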
@ -50,7 +50,9 @@ type CustomExtClient struct {
|
|||
}
|
||||
|
||||
func (ext *ExtClient) ConvertToStaticNode() Node {
|
||||
|
||||
if ext.Tags == nil {
|
||||
ext.Tags = make(map[TagID]struct{})
|
||||
}
|
||||
return Node{
|
||||
CommonNode: CommonNode{
|
||||
Network: ext.Network,
|
||||
|
|
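Review bot: ConvertToStaticNode now writes to its receiver (`ext.Tags = make(map[TagID]struct{})`), so a method that reads like a pure conversion mutates the ExtClient it is called on, and if the same *ExtClient is converted from more than one goroutine that lazy initialization is an unsynchronized write. A local variable keeps the conversion side-effect free: `tags := ext.Tags`, `if tags == nil { tags = make(map[TagID]struct{}) }`, then use `tags` in the Node literal (the literal's Tags field is below the hunk, so I cannot confirm how it is populated). If the returned Node is meant to own its tag set, `maps.Clone` on that map would also stop later writes to the node's tags from landing in the ext client's map. The stray blank line after the signature should go as well. The method body continues past the hunk.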